crypt32: Add basic constraints to chain quality selection algorithm.

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 3b618fa2d4934d87167e8ff27997e5c5dff50059..7bb72fa587236e24c185e29454a1c23d7cb7f398 100644 (file)
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1704,14 +1704,16 @@ static PCertificateChain CRYPT_BuildAlternateContextFromChain(
     return alternate;
 }
 
-#define CHAIN_QUALITY_SIGNATURE_VALID 8
-#define CHAIN_QUALITY_TIME_VALID      4
-#define CHAIN_QUALITY_COMPLETE_CHAIN  2
-#define CHAIN_QUALITY_TRUSTED_ROOT    1
+#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
+#define CHAIN_QUALITY_TIME_VALID        8
+#define CHAIN_QUALITY_COMPLETE_CHAIN    4
+#define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
+#define CHAIN_QUALITY_TRUSTED_ROOT      1
 
 #define CHAIN_QUALITY_HIGHEST \
  CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
- CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_TRUSTED_ROOT
+ CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
+ CHAIN_QUALITY_TRUSTED_ROOT
 
 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
  (TrustStatus)->dwErrorStatus & (bits)
@@ -1723,6 +1725,9 @@ static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
      CERT_TRUST_IS_UNTRUSTED_ROOT))
         quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
+    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
+     CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
+        quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
      CERT_TRUST_IS_PARTIAL_CHAIN))
         quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;